PT-2025-7796 · Go Jose+5 · Go-Jose+5

Mcpherrin

·

Publicado

2025-02-24

·

Atualizado

2026-02-20

·

CVE-2025-27144

CVSS v2.0

7.8

Alta

VetorAV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions Go JOSE versions 4.0.0 through 4.0.4
Description The issue is related to excessive memory consumption when parsing compact JWS or JWE input. The code uses strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of . characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.
Recommendations For versions 4.0.0 through 4.0.4, update to version 4.0.5 to fix the issue. As a temporary workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of . characters.

Exploit

Correção

DoS

Resource Exhaustion

Allocation of Resources Without Limits

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-400CWE-770

Identificadores relacionados

ALSA-2025:19566
ALSA-2025:7389
ALSA-2025:7397
ALSA-2025:7459
ALSA-2025:7462
ALSA-2025:7467
AZL-57096
AZL-57099
AZL-57102
AZL-57105
AZL-57108
AZL-57111
AZL-57114
AZL-57117
AZL-57120
AZL-57123
AZL-57126
AZL-57129
AZL-57132
AZL-57135
AZL-57138
AZL-57144
AZL-57147
AZL-57153
AZL-57162
AZL-57165
AZL-57168
AZL-57171
AZL-57174
AZL-57177
AZL-57180
AZL-57183
AZL-57186
AZL-57192
AZL-57195
AZL-57198
AZL-57201
AZL-57204
AZL-57207
BDU:2025-08606
CVE-2025-27144
ECHO-B02B-0D2E-92A7
GHSA-C6GW-W398-HV78
GO-2025-3485
INFSA-2025_19594
INFSA-2025_3335
INFSA-2025_7389
INFSA-2025_7391
INFSA-2025_7397
OESA-2025-2176
OESA-2025-2177
OESA-2025-2233
OESA-2025-2258
OESA-2025-2297
OPENSUSE-SU-2025:0080-1
OPENSUSE-SU-2025:14839-1
OPENSUSE-SU-2025:14840-1
OPENSUSE-SU-2025:14865-1
OPENSUSE-SU-2025:14871-1
OPENSUSE-SU-2025:14889-1
OPENSUSE-SU-2025:14909-1
OPENSUSE-SU-2025:14988-1
OPENSUSE-SU-2025:14990-1
OPENSUSE-SU-2025:15158-1
OPENSUSE-SU-2025:15304-1
OPENSUSE-SU-2025:15305-1
OPENSUSE-SU-2025:15307-1
OPENSUSE-SU-2025:20117-1
OPENSUSE-SU-2025_0772-1
OPENSUSE-SU-2025_0775-1
OPENSUSE-SU-2025_0785-1
OPENSUSE-SU-2025_0786-1
OPENSUSE-SU-2025_0811-1
OPENSUSE-SU-2025_0812-1
OPENSUSE-SU-2025_0813-1
OPENSUSE-SU-2025_0980-1
OPENSUSE-SU-2025_1011-1
OPENSUSE-SU-2025_1014-1
OPENSUSE-SU-2025_1017-1
OPENSUSE-SU-2025_1018-1
OPENSUSE-SU-2025_1036-1
OPENSUSE-SU-2025_1037-1
OPENSUSE-SU-2025_1038-1
OPENSUSE-SU-2025_1332-1
OPENSUSE-SU-2025_1333-1
OPENSUSE-SU-2026:10230-1
OPENSUSE-SU-2026:20654-1
OPENSUSE-SU-2026:20730-1
OPENSUSE-SU-2026:20798-1
RHSA-2025:19566
RHSA-2025:19594
RHSA-2025:3061
RHSA-2025:3068
RHSA-2025:3335
RHSA-2025:3593
RHSA-2025:7389
RHSA-2025:7391
RHSA-2025:7397
RHSA-2025:7407
RHSA-2025:7459
RHSA-2025:7462
RHSA-2025:7467
RHSA-2025:7479
RHSA-2025_19594
RHSA-2025_3335
RHSA-2025_7389
RHSA-2025_7391
RHSA-2025_7397
RHSA-2025_7407
SUSE-RU-2025:02091-1
SUSE-RU-2025:02092-1
SUSE-RU-2025:02093-1
SUSE-SU-2025:01985-1
SUSE-SU-2025:0772-1
SUSE-SU-2025:0775-1
SUSE-SU-2025:0785-1
SUSE-SU-2025:0786-1
SUSE-SU-2025:0811-1
SUSE-SU-2025:0812-1
SUSE-SU-2025:0813-1
SUSE-SU-2025:0980-1
SUSE-SU-2025:1009-1
SUSE-SU-2025:1010-1
SUSE-SU-2025:1011-1
SUSE-SU-2025:1014-1
SUSE-SU-2025:1017-1
SUSE-SU-2025:1018-1
SUSE-SU-2025:1036-1
SUSE-SU-2025:1037-1
SUSE-SU-2025:1038-1
SUSE-SU-2025:1332-1
SUSE-SU-2025:1333-1
SUSE-SU-2025:20143-1
SUSE-SU-2025:20179-1
SUSE-SU-2025:20198-1
SUSE-SU-2025:20279-1
SUSE-SU-2025:20363-1
SUSE-SU-2025:20869-1
SUSE-SU-2025_0772-1
SUSE-SU-2025_0785-1
SUSE-SU-2025_0786-1
SUSE-SU-2025_0811-1
SUSE-SU-2025_0812-1
SUSE-SU-2026:0439-1
SUSE-SU-2026:0592-1

Produtos afetados

Almalinux
Go-Jose
Red Hat
Red Os
Rocky Linux
Suse